Title: Figma Make GitHub connection flow does not clearly indicate organization-wide repository access
Description:
When connecting GitHub to Figma Make, the setup flow does not clearly communicate that the GitHub integration operates at the organization level and that repositories may be shared across users within the organization.
As a result, repositories can receive content from other organization members' Figma Make projects, even when those projects are unrelated to the repository owner.

Steps to Reproduce:
- Connect GitHub to Figma Make.
- Select a repository during setup.
- Create or work on projects within Figma Make.
- Observe content being pushed or appearing in the selected repository from projects created by other users in the same organization.
Expected Behavior:
- The setup flow should explicitly state that the GitHub connection is organization-wide.
- Users should be informed that other organization members may be able to push content to the selected repository.
- Repository ownership, permissions, and sharing implications should be clearly explained before the connection is completed.
Actual Behavior:
- The connection flow only provides a "Learn More" link and does not prominently disclose the organization-wide scope of the integration.
- Users may assume the repository connection is private to their own Figma Make projects.
- Unexpected projects can appear in a user's repository without prior awareness that this behavior is possible.
Impact:
This can create confusion around repository ownership, access control, and source provenance. It may also lead users to believe their repository has been misconfigured or accessed unexpectedly.
